Security and Privacy Applied Research Lab

To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads

Sam Small
Johns Hopkins University


We present an automated, scalable method for crafting dynamic responses to real-time network requests. Specifically, we provide a flexible technique based on natural language processing and string alignment techniques for intelligently interacting with protocols trained directly from raw network traffic. We demonstrate the utility of our approach by creating a low-interaction web-based honeypot capable of luring attacks from search worms targeting hundreds of different web applications. In just over two months, we witnessed over 368,000 attacks from more than 5,600 botnets targeting several hundred distinct webapps. The observed attacks included several exploits detected the same day the vulnerabilities were publicly disclosed. Our analysis of the payloads of these attacks reveals the state of the art in search-worm based botnets, packed with surprisingly modular and diverse functionality.


Sam Small is a Ph.D. candidate in the Department of Computer Science at Johns Hopkins University. His research interests include system and network security, security for resource-constrained devices, virtualization, and communication networks. Sam holds a B.S. in computer science from the College of William and Mary, an M.S.E. in computer science from Johns Hopkins University, and has served in fellowship programs with the National Institute of Standards and Technology and the National Science Foundation.